Saturday, March 14, 2015

Setup Point-To-Site VPN to Microsoft Azure

Microsoft Azure supports Point-To-Site VPN, which connects a single workstation or server to a Microsoft Azure Virtual Network. Configuring Point-To-Site VPN to a Microsoft Azure Virtual Network requires no VPN device: all configuration is software based and can be done on a Windows 7 or later workstation. I'm going to configure Point-To-Site VPN for testing.

1 x Windows 10 64-bit workstation with Microsoft Visual Studio Express 2013 for Windows Desktop installed. This workstation is on the 172.16.x.x network. I will use this workstation to set up the VPN and then connect to the Microsoft Azure virtual network.

I will use an IP address to connect to a virtual machine on this virtual network, so I don't enter any DNS server information.

4. Click the "Next" button.

5. On the "Point-to-Site Connectivity" window, you can only select a private network address range, because these IP addresses will be assigned to VPN clients.

At this time, I select the 192.168.0.0 IP address range for VPN clients.

The maximum IP address range for VPN clients is 24 bits (a /24), which gives a total of 254 IP addresses.

6. Click the "Next" button.

7. On the "Virtual Network Address Spaces" window, I choose the 10.0.0.0/8 address space. Then I create a 10.0.1.0/24 subnet for virtual machines, and I also add 10.0.0.0/29 to this virtual network as the gateway subnet.

According to Microsoft: "The gateway service that we run to enable cross-premises connectivity needs 2 IP addresses from your routing domain for us to enable routing between your premises and the cloud. We require you to specify at least a /29 subnet from which we can pick IP addresses for setting up routes."

Please note that you must not deploy virtual machines or role instances in the gateway subnet.

8. Click the "Finish" button.
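As an added example (not part of the original post), here is a PowerShell check of the address plan chosen in steps 5 and 7 above: the client pool must be a private range no larger than a /24 and must not overlap the virtual network's address space (otherwise traffic between VPN clients and the VNet does not route cleanly), the gateway subnet must be at least a /29 inside the address space, and the VM subnet must not share addresses with the gateway subnet. The function names are my own, and I read the post's 192.168.0.0 client range as 192.168.0.0/24, the maximum size mentioned above.

```powershell
# Added example, not from the original post: sanity-check the Point-to-Site
# address plan before creating the virtual network. The address values are the
# post's own; the function names and parameters are mine.

$AllOnes = [int64]4294967295   # 0xFFFFFFFF kept as a positive Int64

function ConvertTo-AddressNumber {
    # Dotted-quad -> integer, held in Int64 so the bitwise math never goes negative.
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Get-CidrBlock {
    # Parses "a.b.c.d/n" into its prefix length and first/last address numbers.
    param([string]$Cidr)
    $ip, $prefixText = $Cidr.Trim() -split '/'
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "bad prefix length in $Cidr" }
    $mask  = ($AllOnes -shl (32 - $prefix)) -band $AllOnes
    $start = (ConvertTo-AddressNumber $ip) -band $mask
    $end   = $start -bor ($AllOnes -bxor $mask)
    return [pscustomobject]@{ Cidr = $Cidr; Prefix = $prefix; Start = $start; End = $end }
}

function Test-BlockOverlap  { param($A, $B) return ($A.Start -le $B.End) -and ($B.Start -le $A.End) }
function Test-BlockContains { param($Outer, $Inner) return ($Outer.Start -le $Inner.Start) -and ($Inner.End -le $Outer.End) }

function Test-PrivateBlock {
    # RFC 1918 ranges: the only ones the portal accepts for the client pool.
    param($Block)
    foreach ($p in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        if (Test-BlockContains (Get-CidrBlock $p) $Block) { return $true }
    }
    return $false
}

function Test-PointToSitePlan {
    # Returns a list of findings; an empty list means the plan passes every check.
    param([string]$VnetSpace, [string]$GatewaySubnet, [string]$VmSubnet, [string]$ClientPool)
    $vnet = Get-CidrBlock $VnetSpace
    $gw   = Get-CidrBlock $GatewaySubnet
    $vm   = Get-CidrBlock $VmSubnet
    $pool = Get-CidrBlock $ClientPool
    $findings = @()

    if (-not (Test-PrivateBlock $pool)) { $findings += "client pool $ClientPool is not a private (RFC 1918) range" }
    if ($pool.Prefix -lt 24)            { $findings += "client pool $ClientPool is larger than the /24 maximum" }
    if (Test-BlockOverlap $pool $vnet)  { $findings += "client pool $ClientPool overlaps the address space $VnetSpace" }
    if ($gw.Prefix -gt 29)              { $findings += "gateway subnet $GatewaySubnet is smaller than the /29 minimum" }
    if (-not (Test-BlockContains $vnet $gw)) { $findings += "gateway subnet $GatewaySubnet is outside $VnetSpace" }
    if (-not (Test-BlockContains $vnet $vm)) { $findings += "VM subnet $VmSubnet is outside $VnetSpace" }
    if (Test-BlockOverlap $vm $gw)      { $findings += "VM subnet $VmSubnet overlaps the gateway subnet; only the gateway may live there" }
    return ,$findings
}

# The post's plan: passes with no findings.
$good = Test-PointToSitePlan -VnetSpace '10.0.0.0/8' -GatewaySubnet '10.0.0.0/29' -VmSubnet '10.0.1.0/24' -ClientPool '192.168.0.0/24'
"post's plan: $(if ($good.Count -eq 0) { 'OK' } else { $good -join '; ' })"

# A broken plan (constructed): client pool inside the VNet, VMs placed on the gateway /29.
$bad = Test-PointToSitePlan -VnetSpace '10.0.0.0/8' -GatewaySubnet '10.0.0.0/29' -VmSubnet '10.0.0.0/24' -ClientPool '10.0.2.0/24'
$bad | ForEach-Object { "finding: $_" }
```

Run it in a PowerShell 3.0 or later session on the workstation before clicking through the wizard; the second, constructed plan reports two findings (the overlapping client pool and the VM subnet that swallows the gateway subnet), which are exactly the two mistakes the portal's "must not deploy virtual machines in the gateway subnet" note and the private-range restriction are there to prevent.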

Create a dynamic routing gateway in VPNNetwork

1. On "VPNNetwork" page, click "Create Gateway" button.

2. Click "Yes" to create.

Then we can see the notification about creating a gateway on the Microsoft Azure Portal. It takes about 20 minutes to create a gateway for this virtual network.

Additional information: One of my virtual networks stopped at this screen on the Microsoft Azure portal. I cannot remove that network at this moment via the Portal or PowerShell. Make sure you don't make any changes while the gateway is being created.

Then, the gateway IP address is ready.

Generate a root certificate and upload the certificate to the virtual network

If the workstation has Microsoft Visual Studio Express 2013 for Windows Desktop installed, makecert.exe is located at the following paths.

1. On the Command Prompt, navigate to "C:\Program Files (x86)\Windows Kits\8.1\bin\x64".

We're going to use the same workstation to generate the client certificate for the VPN connection. You don't actually need to install Microsoft Visual Studio Express 2013 for Windows Desktop on all VPN clients; it is only used to generate the root and client certificates, so it's fine to assign one workstation to generating certificates. In my lab environment, I used that workstation for both tasks.

To generate a client certificate, make sure the root certificate is installed on the same computer.
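As an added example (not the post's own commands), the following PowerShell script carries out the certificate procedure described above on the single certificate workstation: it uses makecert.exe from the Windows Kits path given above to create a self-signed root certificate and a client certificate issued by that root, then exports the root's public part as a Base64 .cer for upload to the virtual network and the client certificate with its private key as a password-protected PFX. The names $RootName, $ClientName and $OutDir are placeholders I chose, and I used sha256 where Microsoft's guidance of the time used sha1.

```powershell
# Added example, not from the original post: root and client certificates for
# Point-to-Site VPN, generated with makecert.exe on the one certificate
# workstation. Subject names and the output folder are placeholders.

$RootName   = 'AzureP2SRoot'       # placeholder subject for the root certificate
$ClientName = 'AzureP2SClient01'   # placeholder subject for one VPN client
$OutDir     = 'C:\P2S'             # placeholder output folder
$MakeCert   = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe'

if (-not (Test-Path $MakeCert)) { throw "makecert.exe not found at $MakeCert" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Self-signed root. The private key is created in CurrentUser\My on this
#    workstation only; the trailing file name receives the public certificate.
& $MakeCert -sky exchange -r -n "CN=$RootName" -pe -a sha256 -len 2048 -ss My "$OutDir\$RootName.cer"
if ($LASTEXITCODE -ne 0) { throw "makecert failed while creating the root certificate" }

# 2. Client certificate issued by that root (the root must be in the same store,
#    as the post notes), valid for 12 months.
& $MakeCert -n "CN=$ClientName" -pe -sky exchange -m 12 -ss My -in $RootName -is My -a sha256
if ($LASTEXITCODE -ne 0) { throw "makecert failed while creating the client certificate" }

# 3. Look both certificates up in the user store and confirm the issuer chain.
$root   = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$RootName" }   | Select-Object -First 1
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$ClientName" } | Select-Object -First 1
if (-not $root -or -not $client)     { throw "certificates were not created in CurrentUser\My" }
if ($client.Issuer -ne $root.Subject) { throw "client certificate was not issued by $RootName" }

# 4. Base64-encoded public certificate (no private key) for the portal's
#    root certificate upload on the virtual network.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($root.Export('Cert'), 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$OutDir\$RootName.base64.cer" -Value $pem -Encoding Ascii

# 5. Client certificate plus private key as a password-protected PFX for the
#    VPN client (Export-PfxCertificate comes with the PKI module on Windows 8+).
$pfxPwd = Read-Host -AsSecureString -Prompt "PFX password for $ClientName"
Export-PfxCertificate -Cert $client -FilePath "$OutDir\$ClientName.pfx" -Password $pfxPwd | Out-Null

"root thumbprint:   $($root.Thumbprint)"
"client thumbprint: $($client.Thumbprint)"
"upload $OutDir\$RootName.base64.cer to the virtual network; install $OutDir\$ClientName.pfx on the client"
```

The private key of the root certificate is what allows further VPN client certificates to be issued, so it should never leave this workstation: only the Base64 .cer (public data) is uploaded to the virtual network, and each client receives only its own PFX. Repeat step 2 with a different $ClientName for every additional client so that a single compromised device can be excluded by its own certificate rather than by replacing the root. makecert.exe is deprecated in later Windows SDKs; on Windows 10 the built-in New-SelfSignedCertificate cmdlet fills the same role.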